Security enforcement in virtualized systems

US 9,596,268 B2
Filed: 02/12/2015
Issued: 03/14/2017
Est. Priority Date: 03/18/2011
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

a first server to;

receive information about a first application and a second application of a second server;

receive identity information of a user,the user being associated with a client that is connected to a third server, andthe third server executing an operating system for the client;

determine access control information based on the information about the first application and the second application and based on the identity information; and

provide the access control information to an enforcer,the operating system being provided, by the enforcer, selective access to the first application or the second application based on the access control information.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system includes a virtual machine (VM) server and a policy engine server. The VM server includes two or more guest operating systems and an agent. The agent is configured to collect information from the two or more guest operating systems. The policy engine server is configured to: receive the information from the agent; generate access control information for a first guest OS, of the two or more guest operating systems, based on the information; and configure an enforcer based on the access control information.

Citations

20 Claims

1. A system comprising:
- a first server to;
  
  receive information about a first application and a second application of a second server;
  
  receive identity information of a user,the user being associated with a client that is connected to a third server, andthe third server executing an operating system for the client;
  
  determine access control information based on the information about the first application and the second application and based on the identity information; and
  
  provide the access control information to an enforcer,the operating system being provided, by the enforcer, selective access to the first application or the second application based on the access control information.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The system of claim 1,where the first server is further to:
    - receive, from an agent of the third server, health information regarding the operating system, andwhere, when determining the access control information, the first server is to;
      
      determine the access control information based on the information about the first application and the second application, based on the identity information, and based on the health information.
  - 3. The system of claim 1, where, when receiving the identity information, the first server is to:
    - receive, from an agent of the third server, the identity information of the user.
  - 4. The system of claim 1, where, when receiving the information about the first application and the second application, the first server is to:
    - receive, from an only agent of a hypervisor of the second server, the information about the first application and the second application.
  - 5. The system of claim 1,where the operating system includes a first operating system,where the third server includes the first operating system and a second operating system,where, when determining the access control information, the first server is to:
    - determine, for the first operating system, first access control information based on the information about the first application and the second application, based on the identity information, and based on information regarding the first operating system, anddetermine, for the second operating system, second access control information based on the information about the first application and the second application, based on the identity information, and based on information regarding the second operating system,where the second access control information is different from the first access control information, andwhere the access control information includes the first access control information and the second access control information.
  - 6. The system of claim 1, where, when providing the access control information, the first server is to:
    - receive, from the enforcer, a request for the access control information, andprovide the access control information to the enforcer based on the request.
  - 7. The system of claim 1, where the access control information indicates that the operating system cannot access external network resources while accessing the first application of the third server.

8. A method comprising:
- receiving, by a first server, information about a first application and a second application of a second server;
  
  receiving, by the first server, identity information of a user,the user being associated with a client that is connected to a third server, andthe third server executing an operating system for the client;
  
  determining, by the first server, access control information based on the information about the first application and the second application and based on the identity information; and
  
  providing, by the first server, the access control information to an enforcer,the operating system being provided, by the enforcer, selective access to the first application or the second application based on the access control information.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The method of claim 8, where providing the access control information to the enforcer comprises:
    - providing the access control information to the enforcer without receiving a request for the access control information from the enforcer.
  - 10. The method of claim 8, further comprising:
    - receiving, from an agent of the third server, health information regarding the operating system,where determining the access control information comprises;
      
      determining the access control information based on the information about the first application and the second application, based on the identity information, and based on the health information.
  - 11. The method of claim 8, where receiving the identity information comprises:
    - receiving, from an agent of the third server, the identity information.
  - 12. The method of claim 8,where the operating system includes a first operating system,where the third server includes the first operating system and a second operating system,where the access control information includes:
    - first access control information for the first operating system, andsecond access control information for the second operating system, andwhere the second access control information is different from the first access control information.
  - 13. The method of claim 8, where a first type of the first application is different from a second type of the second application.
  - 14. The method of claim 8, where the access control information indicates that the operating system cannot access external network resources while accessing the first application of the third server.

15. A non-transitory computer-readable medium storing instructions, the instructions comprising:
- one or more instructions that, when executed by at least one processor of a first server, cause the at least one processor to;
  
  receive information about a first application and a second application of a second server;
  
  receive identity information of a user,the user being associated with a client that is connected to a third server, andthe third server executing an operating system for the client;
  
  generate access control information based on the information about the first application and the second application and based on the identity information; and
  
  provide the access control information to an enforcer,the operating system being provided, by the enforcer, selective access to the first application or the second application based on the access control information.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The non-transitory computer-readable medium of claim 15, where the one or more instructions to generate the access control information comprise:
    - one or more instructions that, when executed by the at least one processor, cause the at least one processor to;
      
      receive a request for the access control information, andgenerate, only after receiving the request, the access control information based on the information about the first application and the second application and based on the identity information.
  - 17. The non-transitory computer-readable medium of claim 15, where the one or more instructions to generate the access control information comprise:
    - one or more instructions that, when executed by the at least one processor, cause the at least one processor to;
      
      receive, from an agent of the third server, current activity information of the operating system, andgenerate the access control information based on the information about the first application and the second application, based on the identity information, and based on the current activity information.
  - 18. The non-transitory computer-readable medium of claim 17, where the current activity information includes information regarding current network connections of the operating system.
  - 19. The non-transitory computer-readable medium of claim 15, where the one or more instructions to generate the access control information comprise:
    - one or more instructions that, when executed by the at least one processor, cause the at least one processor to;
      
      receive, from an agent of the third server, the identity information.
  - 20. The non-transitory computer-readable medium of claim 15, where the access control information indicates that the operating system cannot access external network resources while accessing the first application of the third server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Juniper Networks Incorporated
Original Assignee
Juniper Networks Incorporated
Inventors
Narayanaswamy, Krishna, Chickering, Roger A., Malmskog, Steven A.
Primary Examiner(s)
LE, CHAU D

Application Number

US14/620,901
Publication Number

US 20150156219A1
Time in Patent Office

761 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 2009/45587   Isolation or security of vi...

G06F 21/53   by executing in a restricte...

G06F 21/604   Tools and structures for ma...

G06F 2221/2141   Access rights, e.g. capabil...

G06F 2221/2149   Restricted operating enviro...

G06F 9/45558   Hypervisor-specific managem...

G06F 9/5077   Logical partitioning of res...

H04L 63/10   for controlling access to d...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1433   Vulnerability analysis

H04L 63/20   for managing network securi...

Security enforcement in virtualized systems

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Security enforcement in virtualized systems

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links